https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055247#M19336 <HTML><HEAD></HEAD><BODY><P> Thanks for the welcome</P><P></P><P>For Web Auth i use local user in the WLC created by lobby ambassador.</P></BODY></HTML> Tue, 02 Oct 2012 12:11:37 GMT Gabriele01_2 2012-10-02T12:11:37Z https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055245#M19334 <P>I have a 5508 WLC and some 3502i CAP.</P><P>I have configured a guest SSID with no encryption and Web Authentication.</P><P>If an attacker client use a spoofed mac address of a client correctly authenticated he can access without any authentication.</P><P>Is there anything i can do to prevent this?</P><P>Use MFP would be complicated since many client are not CCX v5 compliant.</P> Sun, 04 Jul 2021 05:44:56 GMT https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055245#M19334 Gabriele01_2 2021-07-04T05:44:56Z https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055246#M19335 <HTML><HEAD></HEAD><BODY><P>Welcome to the forums ..</P><P></P><P>What are you using for Web Auth, email, simple accept, logon ? </P><P></P><P></P><P></P><P>__________________________________________________________________________________________ <BR />"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin</P></BODY></HTML> Mon, 01 Oct 2012 15:51:41 GMT https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055246#M19335 George Stefanick 2012-10-01T15:51:41Z https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055247#M19336 <HTML><HEAD></HEAD><BODY><P> Thanks for the welcome</P><P></P><P>For Web Auth i use local user in the WLC created by lobby ambassador.</P></BODY></HTML> Tue, 02 Oct 2012 12:11:37 GMT https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055247#M19336 Gabriele01_2 2012-10-02T12:11:37Z https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055248#M19337 <HTML><HEAD></HEAD><BODY><P>Well for one, this is guest access, so they should not be able to access your internal network anyway correct. There also can only be one MAC address at one time. There also is a session timeout value which forces a login again and an idle timeout value. Like in any WebAuth out there, the guy that wants to hop on to a guest network would have to wait until the original user leaves. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Tue, 02 Oct 2012 13:24:27 GMT https://community.cisco.com/t5/wireless/web-authentication-and-mac-spoofing/m-p/2055248#M19337 Scott Fella 2012-10-02T13:24:27Z